#!/bin/bash
########################################################################################
# #
# This is a basic firewall script written by Andy Taylor (MW0MWZ) #
# #
# There are two purposes to this script; 1. Keeping your Pi-Star safe #
# and just as important, 2. Prioritising the voice traffic. #
# #
########################################################################################
printf "Setting IPv4 Rules...\n"
#
# IPv4 Firewall Rules
#
# Start from a clean slate: empty the nat and mangle tables, then the filter
# table, and delete user-defined chains (e.g. LOGNDROP from an earlier run).
# NOTE(review): -X without -t only removes user chains in the filter table;
# chains that /root/ipv4.fw creates in nat or mangle would survive a re-run.
for v4_table in nat mangle; do
  iptables -t "$v4_table" -F
done
iptables -F
iptables -X
# Loopback is always trusted, in both directions.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Default deny for packets delivered to this host and for packets it sends.
# NOTE(review): the FORWARD chain is never given a policy anywhere in this
# script, so it stays at the kernel default (ACCEPT).  Routing for the
# hostapd clients NATed further down needs net.ipv4.ip_forward=1, and with
# that on, anything the Pi routes between its interfaces passes unfiltered.
# Confirm that is the intent.
iptables -P INPUT  DROP
iptables -P OUTPUT DROP
# Replies to flows conntrack already knows need no per-port rule; every rule
# that follows only has to admit the first packet of a flow.
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Optional operator-supplied IPv4 rules.  They are appended at this point of
# the chains, i.e. ahead of every built-in allow rule below, so they can take
# precedence over the defaults.  The file is executed as shell code by this
# script (which runs as root), so it should be writable by root only.
v4_custom_rules=/root/ipv4.fw
if [ -f "$v4_custom_rules" ]; then
  echo "Custom IPv4 Firewall rules loaded..."
  . "$v4_custom_rules"
fi
# Allow Outbound System Ports (for updates mostly)
# NOTE(review): 21 (FTP), 80 (HTTP), 9418 (git://) and 11371 (HKP) are
# cleartext, unauthenticated transports.  apt checks package signatures
# whatever the transport, but anything else pulled over them is trusted
# blindly; 11371 in particular fetches signing keys in the clear, so prefer
# hkps:// (443) where the keyserver offers it.
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT # FTP (Updates)
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # SSH (Used by GIT)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT # DNS (DNS Domain Lookups)
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT # HTTP (Updates)
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT # NTP (Network Time)
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT # HTTPS (Updates)
iptables -A OUTPUT -p tcp --dport 9418 -j ACCEPT # GIT Port (Used by GIT) - git:// protocol, unauthenticated
iptables -A OUTPUT -p tcp --dport 11371 -j ACCEPT # Used for APT to obtain Keys (HKP, cleartext)
iptables -A OUTPUT -p tcp --dport 8080 -j ACCEPT # for Speedtest
# Allow Outbound D-Star Control Ports
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT # DNS over TCP (zone transfer used by xreflector.net; also large/truncated answers)
iptables -A OUTPUT -p tcp --dport 9007 -j ACCEPT # ircDDB Servers (Callsign Routing)
iptables -A OUTPUT -p tcp --dport 14580 -j ACCEPT # D-PRS Position Info
# Order matters here: this REJECT for one host must come before the general
# port-20001 ACCEPT that follows, or it would never be reached.  The host is
# pinned by IP address, so the block silently stops matching if
# dns.xreflector.net ever moves.
iptables -A OUTPUT -d 176.10.105.252 -p tcp --dport 20001 -j REJECT # Deliberately block access to dns.xreflector.net
iptables -A OUTPUT -p tcp --dport 20001 -j ACCEPT # D-Plus Outbound Links
# D-Star Voice to and from Icom RP2C controllers
# Both directions are limited to RFC1918 addresses, i.e. a controller on the
# LAN; the mangle rule marks the outbound voice EF (DSCP 46) for QoS.
iptables -A OUTPUT -p udp -d 192.168.0.0/16 --dport 20000 -j ACCEPT # Voice Packets out to Icom PR2C
iptables -A OUTPUT -p udp -d 172.16.0.0/12 --dport 20000 -j ACCEPT # Voice Packets out to Icom PR2C
iptables -A OUTPUT -p udp -d 10.0.0.0/8 --dport 20000 -j ACCEPT # Voice Packets out to Icom PR2C
iptables -A INPUT -p udp -s 192.168.0.0/16 --dport 20000 -j ACCEPT # Voice Packets in from Icom PR2C
iptables -A INPUT -p udp -s 172.16.0.0/12 --dport 20000 -j ACCEPT # Voice Packets in from Icom PR2C
iptables -A INPUT -p udp -s 10.0.0.0/8 --dport 20000 -j ACCEPT # Voice Packets in from Icom PR2C
iptables -t mangle -A POSTROUTING -p udp --dport 20000 -j DSCP --set-dscp 46
# Allow Outbound D-Star Voice Ports (Set the DSCP Markers to EF)
# Each ACCEPT below is paired with a mangle rule that sets DSCP 46 (EF) on
# the same destination ports.  Keep the two lists in step when adding ports.
iptables -A OUTPUT -p udp --dport 20001:20007 -j ACCEPT # D-Plus Outbound Voice
iptables -A OUTPUT -p udp --dport 30001:30007 -j ACCEPT # DExtra Outbound Voice
iptables -A OUTPUT -p udp --dport 30051:30057 -j ACCEPT # DCS Outbound Voice
iptables -A OUTPUT -p udp --dport 30061:30064 -j ACCEPT # CCS Voice
iptables -A OUTPUT -p udp --dport 40000 -j ACCEPT # Icom G2 Callsign Routing
iptables -t mangle -A POSTROUTING -p udp --dport 20001:20007 -j DSCP --set-dscp 46
iptables -t mangle -A POSTROUTING -p udp --dport 30001:30007 -j DSCP --set-dscp 46
iptables -t mangle -A POSTROUTING -p udp --dport 30051:30057 -j DSCP --set-dscp 46
iptables -t mangle -A POSTROUTING -p udp --dport 30061:30064 -j DSCP --set-dscp 46
iptables -t mangle -A POSTROUTING -p udp --dport 40000 -j DSCP --set-dscp 46
# Allow Outbound DMR Ports
# DMR+ (55555) is deliberately disabled; its rules are kept commented out.
#iptables -A OUTPUT -p udp --dport 55555 -j ACCEPT # DMR+ Networking
iptables -A OUTPUT -p udp --dport 55550:55580 -j ACCEPT # HB Link France Networking
iptables -A OUTPUT -p udp --dport 62031 -j ACCEPT # DMR (BrandMeister) Networking
#iptables -t mangle -A POSTROUTING -p udp --dport 55555 -j DSCP --set-dscp 46
iptables -t mangle -A POSTROUTING -p udp --dport 55550:55580 -j DSCP --set-dscp 46
iptables -t mangle -A POSTROUTING -p udp --dport 62031 -j DSCP --set-dscp 46
iptables -A OUTPUT -p tcp --dport 5040 -j ACCEPT # tgif.network API
# Allow Outbound XLX Ports
iptables -A OUTPUT -p udp --dport 62030 -j ACCEPT # XLX Networking
iptables -t mangle -A POSTROUTING -p udp --dport 62030 -j DSCP --set-dscp 46
# Allow Outbound YSFGateway Ports
iptables -A OUTPUT -p udp --dport 42000:43000 -j ACCEPT # YSF Outbound Connections
iptables -t mangle -A POSTROUTING -p udp --dport 42000:43000 -j DSCP --set-dscp 46
# Allow Outbound FCS Ports
# Matched on local source port 42001 as well as the remote port; presumably
# the port the FCS client binds - confirm if the gateway config changes.
iptables -A OUTPUT -p udp --sport 42001 --dport 62500 -j ACCEPT # FCS Outbound Connections
iptables -t mangle -A POSTROUTING -p udp --sport 42001 --dport 62500 -j DSCP --set-dscp 46
# Allow Outbound P25Gateway Ports
iptables -A OUTPUT -p udp --dport 41000:41010 -j ACCEPT # P25 Outbound Connections
iptables -A OUTPUT -p udp --dport 41720 -j ACCEPT # P25 Outbound Connections
iptables -t mangle -A POSTROUTING -p udp --dport 41000:41010 -j DSCP --set-dscp 46
iptables -t mangle -A POSTROUTING -p udp --dport 41720 -j DSCP --set-dscp 46
# Allow Outbound NXDNGateway Ports
iptables -A OUTPUT -p udp --dport 41400 -j ACCEPT # NXDN Outbound Connections
iptables -t mangle -A POSTROUTING -p udp --dport 41400 -j DSCP --set-dscp 46
iptables -A OUTPUT -p udp --dport 42400 -j ACCEPT # NXDN Outbound Connections
iptables -t mangle -A POSTROUTING -p udp --dport 42400 -j DSCP --set-dscp 46
iptables -A OUTPUT -p udp --dport 41500 -j ACCEPT # NXDN Outbound Connections
iptables -t mangle -A POSTROUTING -p udp --dport 41500 -j DSCP --set-dscp 46
# NOTE(review): matched on the local *source* port only, so any outbound UDP
# sent from port 14050 is allowed to any destination and port.
iptables -A OUTPUT -p udp --sport 14050 -j ACCEPT # NXDN Outbound Connections
iptables -t mangle -A POSTROUTING -p udp --sport 14050 -j DSCP --set-dscp 46
# Allow Outbound DAPNet ports
iptables -A OUTPUT -p tcp --dport 43434 -j ACCEPT # DAPNet Outbound Connections
# Allow Outbound M17Gateway Ports
iptables -A OUTPUT -p udp --dport 17000 -j ACCEPT # M17Gateway Outbound Connections
# Allow Inbound Services
# NOTE(review): none of 22/80/443/8080/10022/2460 carries a source
# restriction.  Behind a home NAT that only exposes them to the LAN, but with
# a port-forward or a public address they are Internet-reachable, and the web
# portal / raspicontrol on 80, 443 and 8080 become the attack surface.  The
# 445 rules below show the pattern for limiting a service to RFC1918 sources
# if that is wanted for 8080, 10022 or 2460 too.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP Allow the D-Star Portal Access
iptables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS Allow the D-Star Portal Access
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT # SMB Access (Local Networks Only)
iptables -A INPUT -p tcp -s 172.16.0.0/12 --dport 445 -j ACCEPT # SMB Access (Local Networks Only)
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 445 -j ACCEPT # SMB Access (Local Networks Only)
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT # HTTP Allow the Raspicontrol Portal Access (any source)
iptables -A INPUT -p udp --dport 10022 -j ACCEPT # D-Star ircDDBGateway remote (any source)
iptables -A INPUT -p udp --dport 2460 -j ACCEPT # AMBEServer Port (Used by DVCast / DR2G AMBE) (any source)
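# Allow access to shellinabox - if installed
#
# Print the TCP port configured in a shellinabox defaults file, or nothing if
# the file has no usable port.
#   $1 - path to the defaults file (normally /etc/default/shellinabox)
# Only the first *uncommented* SHELLINABOX_PORT= assignment counts (the
# unanchored grep it replaces could pick up a commented-out example line).
# A trailing "# comment", quotes and whitespace are stripped, and the value
# must be an integer in 1..65535; anything else yields empty output so the
# caller never hands iptables an empty or garbage --dport.
shellinabox_port_from() {
  local port
  port=$(grep -m 1 '^[[:space:]]*SHELLINABOX_PORT=' -- "$1" 2>/dev/null | cut -d= -f2-)
  port=${port%%#*}
  port=$(printf '%s' "$port" | tr -d "\"' \t")
  if [[ $port =~ ^[0-9]{1,5}$ ]] && (( 10#$port >= 1 && 10#$port <= 65535 )); then
    printf '%s\n' "$((10#$port))"
  fi
}
if [ -f "/etc/default/shellinabox" ]; then
  sib_port=$(shellinabox_port_from /etc/default/shellinabox)
  if [ -n "$sib_port" ]; then
    iptables -A INPUT -p tcp --dport "$sib_port" -j ACCEPT # shellinabox web terminal (any source)
  else
    # Say so instead of running a malformed iptables command; the port just
    # stays closed, which is the safe failure mode.
    printf 'shellinabox: no valid SHELLINABOX_PORT in /etc/default/shellinabox, port not opened\n' >&2
  fi
fi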
# Access-point mode: when hostapd is configured, serve DHCP/DNS to the clients
# on wlan0_ap and NAT their traffic out through the Pi's uplink.
if [ -f "/etc/hostapd/hostapd.conf" ]; then
  ap_if=wlan0_ap
  ap_net=192.168.50.0/24
  ap_addr=192.168.50.1
  # DHCP on the AP interface, both directions.
  iptables -A INPUT  -i "$ap_if" -p udp --dport 67:68 -j ACCEPT
  iptables -A OUTPUT -o "$ap_if" -p udp --dport 67:68 -j ACCEPT
  # NOTE(review): this is an INPUT rule, so it does not govern traffic routed
  # *through* the Pi - that is the FORWARD chain, which this script never
  # restricts.  What it does do is accept anything an AP client sends to one
  # of the Pi's own addresses outside the AP subnet (e.g. its eth0/wlan0
  # address), on every port - a much wider grant than the per-service rules
  # elsewhere.  Services bound to the AP address itself (192.168.50.1) are
  # still subject to the normal per-port rules.
  iptables -A INPUT -i "$ap_if" -s "$ap_net" ! -d "$ap_net" -j ACCEPT
  # dnsmasq DNS for AP clients, only when addressed to the Pi's AP address.
  iptables -A INPUT -i "$ap_if" -s "$ap_net" -d "$ap_addr" -p udp --dport 53 -j ACCEPT
  # Source-NAT AP client traffic that leaves for anywhere outside the subnet.
  iptables -t nat -A POSTROUTING -s "$ap_net" ! -d "$ap_net" -j MASQUERADE
fi
# Allow Local Network Name Resolution
iptables -A OUTPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT # AVAHI Daemon (Name Resolution)
iptables -A INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT # AVAHI Daemon (Name Resolution) - mDNS group address only, any source
iptables -A OUTPUT -p udp --dport 137:138 -j ACCEPT # NETBIOS Name Resolution Broadcast Out
iptables -A INPUT -p udp --dport 137:138 -j ACCEPT # NETBIOS Name Resolution Broadcast In (any source)
# NOTE(review): 139 is open to any source while 445 above is limited to
# RFC1918.  Samba normally serves the same shares on both ports, so the 445
# restriction is only as strong as this rule; consider the same -s limits.
iptables -A INPUT -p tcp --dport 139 -j ACCEPT # NETBIOS TCP Session In
# Allow some DHCP related chatter
iptables -A INPUT -p udp --dport 68 -j ACCEPT # UDP directed DHCP Packets
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT # DHCP Packets
# Allow uPnP Firewall Configuration
iptables -A OUTPUT -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT # uPnP Packets (SSDP discovery out)
iptables -A INPUT -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT # uPnP Packets (SSDP discovery in)
# SSDP replies: matched on the sender's source port only, so any RFC1918 host
# can reach any local UDP port by sending from port 1900.  The -s limits keep
# this off the Internet, but not off a hostile LAN peer.
iptables -A INPUT -p udp -s 192.168.0.0/16 --sport 1900 -j ACCEPT # uPnP Packets
iptables -A INPUT -p udp -s 172.16.0.0/12 --sport 1900 -j ACCEPT # uPnP Packets
iptables -A INPUT -p udp -s 10.0.0.0/8 --sport 1900 -j ACCEPT # uPnP Packets
# Outbound TCP to any unprivileged port on the LAN (presumably because the
# IGD control endpoint lives on a router-chosen port).
iptables -A OUTPUT -p tcp -d 192.168.0.0/16 --dport 1025:65535 -j ACCEPT # uPnP Packets
iptables -A OUTPUT -p tcp -d 172.16.0.0/12 --dport 1025:65535 -j ACCEPT # uPnP Packets
iptables -A OUTPUT -p tcp -d 10.0.0.0/8 --dport 1025:65535 -j ACCEPT # uPnP Packets
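# Allow ICMP Ping
# Uses the conntrack match like the rest of this script ('-m state' is the
# legacy alias for the same thing) and drops the no-op '-s 0/0' / '-d 0/0'
# matches; the accepted packets are exactly the same as before.
# Echo requests are answered from any source, Internet included.
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT # Allow ICMP echo-request in
iptables -A OUTPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT # Allow ICMP echo-request out
# Echo replies are already covered by the ESTABLISHED,RELATED rule at the top
# of OUTPUT; kept so the intent is visible in the listing.
iptables -A OUTPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Allow ICMP echo-reply out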
# Allow Inbound D-Star Voice Ports
# Fixed listening ports that accept the first packet from any source
# (reflectors and peers connect to us), so these are Internet-facing by
# design.
iptables -A INPUT -p udp --dport 20001:20007 -j ACCEPT # D-Plus Linking
iptables -A INPUT -p udp --dport 30001:30007 -j ACCEPT # DExtra Linking
iptables -A INPUT -p udp --dport 30051:30057 -j ACCEPT # DCS Linking
iptables -A INPUT -p udp --dport 30061:30064 -j ACCEPT # CCS
iptables -A INPUT -p udp --dport 40000 -j ACCEPT # Icom G2 Callsign Routing
# Allow Inbound YSF Gateway Ports
# NOTE(review): these two rules match only on the remote *source* port and
# accept delivery to every unprivileged local UDP port (1024-65535).  The
# source port is chosen by the sender, so anyone who sends from 42000-43000
# or 52000 reaches any UDP listener on the Pi.  Replies to flows the gateway
# opened are already accepted by the ESTABLISHED,RELATED rule at the top of
# INPUT; confirm these are still needed (e.g. a reflector answering from a
# different port than it was contacted on) before keeping them.
iptables -A INPUT -p udp --sport 42000:43000 --dport 1024:65535 -j ACCEPT # YSF Gateway Routing
iptables -A INPUT -p udp --sport 52000 --dport 1024:65535 -j ACCEPT # YSF Gateway Routing
# Allow Inbound P25 Gateway Ports
# Same source-port-only pattern, narrowed to Linux's default ephemeral range.
iptables -A INPUT -p udp --sport 41000:41010 --dport 32768:60999 -j ACCEPT # P25 Gateway Routing
# Allow M17 Inbound Ports
iptables -A INPUT -p udp --dport 17000 -j ACCEPT # M17 mrefd
iptables -A INPUT -p udp --dport 17010 -j ACCEPT # M17 M17Gateway
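# Everything that reaches the end of INPUT without matching goes to LOGNDROP.
# The LOG rule is commented out, so today this is just a named DROP (the
# INPUT policy would drop it anyway); uncomment it - ideally with '-m limit'
# so a flood cannot fill the log - to see what is being rejected.
iptables -N LOGNDROP
iptables -A INPUT -j LOGNDROP
#iptables -A LOGNDROP -j LOG
iptables -A LOGNDROP -j DROP
# Persist the ruleset.  Written to a temp file and renamed into place so a
# failing iptables-save (or an interrupted write) cannot leave
# /etc/iptables.rules truncated or empty for whatever restores it at boot.
v4_rules_file=/etc/iptables.rules
if iptables-save > "${v4_rules_file}.tmp"; then
  mv -f "${v4_rules_file}.tmp" "$v4_rules_file"
else
  printf 'iptables-save failed; leaving %s unchanged\n' "$v4_rules_file" >&2
  rm -f "${v4_rules_file}.tmp"
fi
# Give the user some output (reverse DNS lookups make this slow; -n would
# avoid them but changes the output format)
iptables --list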
printf "\nSetting IPv6 Rules...\n"
#
# IPv6 Rules Start here
#
# Empty the nat, mangle and filter tables and delete user chains so a re-run
# starts from nothing.
for v6_table in nat mangle; do
  ip6tables -t "$v6_table" -F
done
ip6tables -F
ip6tables -X
# Default deny for delivery to this host and for what it sends.  FORWARD is
# left at the kernel default here too, as in the IPv4 section.
ip6tables -P INPUT  DROP
ip6tables -P OUTPUT DROP
# Type-0 routing headers (deprecated by RFC 5095) are dropped first, before
# any ACCEPT below can match them.
for v6_chain in INPUT OUTPUT; do
  ip6tables -A "$v6_chain" -m rt --rt-type 0 -j DROP
done
# Loopback is always trusted.
ip6tables -A INPUT  -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Link-local sources pass unconditionally on both chains (matched by source
# address in both directions).
# NOTE(review): on INPUT this means every host on the same link gets every
# IPv6 port on the Pi, bypassing all the per-service rules that follow; the
# per-port restrictions only bite for ULA/global sources.
for v6_chain in INPUT OUTPUT; do
  ip6tables -A "$v6_chain" -s fe80::/10 -j ACCEPT
done
# Multicast destinations (NDP, mDNS and SSDP all live here).
for v6_chain in INPUT OUTPUT; do
  ip6tables -A "$v6_chain" -d ff00::/8 -j ACCEPT
done
# All ICMPv6 is accepted.  NDP and path-MTU discovery need it, but this is
# wider than the RFC 4890 recommendations (no rate limit, echo from anywhere).
for v6_chain in INPUT OUTPUT; do
  ip6tables -A "$v6_chain" -p icmpv6 -j ACCEPT
done
# Replies to flows conntrack already knows need no per-port rule.
for v6_chain in INPUT OUTPUT; do
  ip6tables -A "$v6_chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
done
# Optional operator-supplied IPv6 rules, appended here ahead of every built-in
# allow rule below so they can take precedence.  The file is executed as shell
# code by this script (which runs as root), so it should be writable by root
# only.
v6_custom_rules=/root/ipv6.fw
if [ -f "$v6_custom_rules" ]; then
  echo "Custom IPv6 Firewall rules loaded..."
  . "$v6_custom_rules"
fi
# Allow Outbound System Ports (for updates mostly)
# NOTE(review): 21, 80, 9418 and 11371 are cleartext, unauthenticated
# transports; apt still verifies signatures, but 11371 (HKP) fetches the
# signing keys themselves in the clear - prefer hkps:// (443) where possible.
# This list has drifted from the IPv4 one (no 8080 for speedtest here).
ip6tables -A OUTPUT -p tcp --dport 21 -j ACCEPT # FTP (Updates)
ip6tables -A OUTPUT -p tcp --dport 22 -j ACCEPT # SSH (Used by GIT)
ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT # DNS (DNS Domain Lookups)
ip6tables -A OUTPUT -p tcp --dport 80 -j ACCEPT # HTTP (Updates)
ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT # NTP (Network Time)
ip6tables -A OUTPUT -p tcp --dport 443 -j ACCEPT # HTTPS (Updates)
ip6tables -A OUTPUT -p tcp --dport 9418 -j ACCEPT # GIT Port (Used by GIT) - git:// protocol, unauthenticated
ip6tables -A OUTPUT -p tcp --dport 11371 -j ACCEPT # Used for APT to obtain Keys (HKP, cleartext)
# DNS over TCP; the same rule is added again in the D-Star control section
# further down, which is harmless but redundant.
ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT # DNS (DNS Zone Transfer - Used by xreflector.net)
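# Allow Inbound Services
# NOTE(review): unlike IPv4, LAN hosts typically carry globally routable IPv6
# addresses with no NAT in front of them, so a rule without a source
# restriction is reachable from the whole Internet once the Pi has a global
# address.  22/80/443/10022/2460 below are open that way, matching IPv4.
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP Allow the D-Star Portal Access
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS Allow the D-Star Portal Access
# SMB is limited to unique-local sources (fc00::/7) to mirror the IPv4 rules,
# which only admit 445 from RFC1918 ranges - the IPv6 rule previously had no
# source restriction at all.  Link-local (fe80::/10) peers are already
# accepted wholesale earlier in this section, so they keep access.  A LAN
# that uses only global IPv6 prefixes will fall back to SMB over IPv4.
ip6tables -A INPUT -p tcp -s fc00::/7 --dport 445 -j ACCEPT # SMB Access (Local Networks Only)
ip6tables -A INPUT -p udp --dport 10022 -j ACCEPT # D-Star ircDDBGateway remote
ip6tables -A INPUT -p udp --dport 2460 -j ACCEPT # AMBEServer Port (Used by DVCast / DR2G AMBE)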
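# Allow access to shellinabox - if installed
#
# Print the TCP port configured in a shellinabox defaults file, or nothing if
# the file has no usable port.
#   $1 - path to the defaults file (normally /etc/default/shellinabox)
# Only the first *uncommented* SHELLINABOX_PORT= assignment counts (the
# unanchored grep it replaces could pick up a commented-out example line).
# A trailing "# comment", quotes and whitespace are stripped, and the value
# must be an integer in 1..65535; anything else yields empty output so the
# caller never hands ip6tables an empty or garbage --dport.  Kept
# self-contained so the IPv6 section can be edited independently of IPv4.
shellinabox_port_from() {
  local port
  port=$(grep -m 1 '^[[:space:]]*SHELLINABOX_PORT=' -- "$1" 2>/dev/null | cut -d= -f2-)
  port=${port%%#*}
  port=$(printf '%s' "$port" | tr -d "\"' \t")
  if [[ $port =~ ^[0-9]{1,5}$ ]] && (( 10#$port >= 1 && 10#$port <= 65535 )); then
    printf '%s\n' "$((10#$port))"
  fi
}
if [ -f "/etc/default/shellinabox" ]; then
  sib_port=$(shellinabox_port_from /etc/default/shellinabox)
  if [ -n "$sib_port" ]; then
    ip6tables -A INPUT -p tcp --dport "$sib_port" -j ACCEPT # shellinabox web terminal (any source)
  else
    # Say so instead of running a malformed ip6tables command; the port just
    # stays closed, which is the safe failure mode.
    printf 'shellinabox: no valid SHELLINABOX_PORT in /etc/default/shellinabox, IPv6 port not opened\n' >&2
  fi
fi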
# Allow Local Network Name Resolution
# The ff02::fb rules are already covered by the blanket ff00::/8 multicast
# accepts earlier in this section; they are kept for readability.
ip6tables -A OUTPUT -p udp -d ff02::fb --dport 5353 -j ACCEPT # AVAHI Daemon (Name Resolution)
ip6tables -A INPUT -p udp -d ff02::fb --dport 5353 -j ACCEPT # AVAHI Daemon (Name Resolution)
ip6tables -A OUTPUT -p udp --dport 137 -j ACCEPT # NETBIOS Name Resolution Broadcast Out
ip6tables -A INPUT -p udp --dport 137 -j ACCEPT # NETBIOS Name Resolution Broadcast In (any source)
ip6tables -A OUTPUT -p udp --dport 138 -j ACCEPT # NETBIOS Datagram Out
ip6tables -A INPUT -p udp --dport 138 -j ACCEPT # NETBIOS Datagram In (any source)
# NOTE(review): 139 has no source restriction, and on IPv6 there is usually no
# NAT in front of it; Samba normally serves the same shares on 139 as on 445,
# so any -s limit placed on 445 is only as strong as this rule.
ip6tables -A INPUT -p tcp --dport 139 -j ACCEPT # NETBIOS TCP Session In
# Allow uPnP Firewall Configuration
# Both rules are confined to link-local addresses and are therefore already
# matched by the blanket fe80::/10 accepts earlier in this section.
ip6tables -A OUTPUT -p udp -s fe80::/64 -d fe80::/64 --dport 1025:65535 -j ACCEPT # uPnP Packets
ip6tables -A INPUT -p udp -s fe80::/64 -d fe80::/64 --sport 1900 -j ACCEPT # uPnP Packets
# Allow Outbound D-Star Control Ports
# NOTE(review): this list has drifted from the IPv4 section - there is no
# dns.xreflector.net REJECT (that block is by IPv4 address, so not
# applicable), and no 5040 (tgif.network API) or 41720 (P25) rule.  Stricter
# is fine security-wise, but those services will not work over IPv6.
ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT # DNS Zone Transfer - Used by xreflector.net (duplicate of the rule in the system-ports block)
ip6tables -A OUTPUT -p tcp --dport 9007 -j ACCEPT # ircDDB Servers (Callsign Routing)
ip6tables -A OUTPUT -p tcp --dport 14580 -j ACCEPT # D-PRS Position Info
ip6tables -A OUTPUT -p tcp --dport 20001 -j ACCEPT # D-Plus Outbound Links
# Allow Outbound D-Star Voice Ports (Set the DSCP Markers to EF)
# Each ACCEPT is paired with a mangle rule that sets DSCP 46 (EF) on the same
# destination ports; keep the two lists in step when adding ports.
ip6tables -A OUTPUT -p udp --dport 20001:20007 -j ACCEPT # D-Plus Outbound Links
ip6tables -A OUTPUT -p udp --dport 30001:30007 -j ACCEPT # DExtra Outbound Links
ip6tables -A OUTPUT -p udp --dport 30051:30057 -j ACCEPT # DCS Outbound Links
ip6tables -A OUTPUT -p udp --dport 30061:30064 -j ACCEPT # CCS
ip6tables -A OUTPUT -p udp --dport 40000 -j ACCEPT # Icom G2 Callsign Routing
ip6tables -t mangle -A POSTROUTING -p udp --dport 20001:20007 -j DSCP --set-dscp 46
ip6tables -t mangle -A POSTROUTING -p udp --dport 30001:30007 -j DSCP --set-dscp 46
ip6tables -t mangle -A POSTROUTING -p udp --dport 30051:30057 -j DSCP --set-dscp 46
ip6tables -t mangle -A POSTROUTING -p udp --dport 30061:30064 -j DSCP --set-dscp 46
ip6tables -t mangle -A POSTROUTING -p udp --dport 40000 -j DSCP --set-dscp 46
# Allow Outbound DMR Voice Ports
ip6tables -A OUTPUT -p udp --dport 55550:55580 -j ACCEPT # HB France Networking
ip6tables -A OUTPUT -p udp --dport 62031 -j ACCEPT # DMR (BrandMeister) Networking
ip6tables -t mangle -A POSTROUTING -p udp --dport 55550:55580 -j DSCP --set-dscp 46
ip6tables -t mangle -A POSTROUTING -p udp --dport 62031 -j DSCP --set-dscp 46
# Allow Outbound XLX Voice Ports
ip6tables -A OUTPUT -p udp --dport 62030 -j ACCEPT # XLX Networking
ip6tables -t mangle -A POSTROUTING -p udp --dport 62030 -j DSCP --set-dscp 46
# Allow Outbound YSF Ports
ip6tables -A OUTPUT -p udp --dport 42000:43000 -j ACCEPT # YSF Networking
ip6tables -t mangle -A POSTROUTING -p udp --dport 42000:43000 -j DSCP --set-dscp 46
# Allow Outbound FCS Ports
# Matched on local source port 42001 as well as the remote port; presumably
# the port the FCS client binds - confirm if the gateway config changes.
ip6tables -A OUTPUT -p udp --sport 42001 --dport 62500 -j ACCEPT # FCS Outbound Connections
ip6tables -t mangle -A POSTROUTING -p udp --sport 42001 --dport 62500 -j DSCP --set-dscp 46
# Allow Outbound P25 Ports
ip6tables -A OUTPUT -p udp --dport 41000:41010 -j ACCEPT # P25 Networking
ip6tables -t mangle -A POSTROUTING -p udp --dport 41000:41010 -j DSCP --set-dscp 46
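# Allow Outbound NXDNGateway Ports
# Same three destination ports as the IPv4 section (41400, 42400, 41500); the
# IPv6 list previously repeated 41400 twice, a no-op duplicate that left
# 41500 blocked over IPv6.
ip6tables -A OUTPUT -p udp --dport 41400 -j ACCEPT # NXDN Outbound Connections
ip6tables -t mangle -A POSTROUTING -p udp --dport 41400 -j DSCP --set-dscp 46
ip6tables -A OUTPUT -p udp --dport 42400 -j ACCEPT # NXDN Outbound Connections
ip6tables -t mangle -A POSTROUTING -p udp --dport 42400 -j DSCP --set-dscp 46
ip6tables -A OUTPUT -p udp --dport 41500 -j ACCEPT # NXDN Outbound Connections
ip6tables -t mangle -A POSTROUTING -p udp --dport 41500 -j DSCP --set-dscp 46
# NOTE(review): matched on the local *source* port only, so any outbound UDP
# sent from port 14050 is allowed to any destination and port.
ip6tables -A OUTPUT -p udp --sport 14050 -j ACCEPT # NXDN Outbound Connections
ip6tables -t mangle -A POSTROUTING -p udp --sport 14050 -j DSCP --set-dscp 46
# Allow Outbound DAPNet ports
ip6tables -A OUTPUT -p tcp --dport 43434 -j ACCEPT # DAPNet Outbound Connections
# Allow Outbound M17Gateway Ports
ip6tables -A OUTPUT -p udp --dport 17000 -j ACCEPT # M17Gateway Outbound Connections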
# Allow Inbound D-Star Voice Ports
# Fixed listening ports that accept the first packet from any source; over
# IPv6 there is normally no NAT in between, so these are directly reachable
# from the Internet whenever the Pi has a global address.
ip6tables -A INPUT -p udp --dport 20001:20007 -j ACCEPT # D-Plus Linking
ip6tables -A INPUT -p udp --dport 30001:30007 -j ACCEPT # DExtra Linking
ip6tables -A INPUT -p udp --dport 30051:30057 -j ACCEPT # DCS Linking
ip6tables -A INPUT -p udp --dport 30061:30064 -j ACCEPT # CCS
ip6tables -A INPUT -p udp --dport 40000 -j ACCEPT # Icom G2 Callsign Routing
# Allow Inbound YSF Gateway Ports
# NOTE(review): these two rules match only on the remote *source* port and
# accept delivery to every unprivileged local UDP port (1024-65535).  The
# source port is chosen by the sender, so anyone who sends from 42000-43000
# or 52000 reaches any UDP listener on the Pi.  Replies to flows the gateway
# opened are already accepted by the ESTABLISHED,RELATED rule at the top of
# INPUT; confirm these are still needed (e.g. a reflector answering from a
# different port than it was contacted on) before keeping them.
ip6tables -A INPUT -p udp --sport 42000:43000 --dport 1024:65535 -j ACCEPT # YSF Gateway Routing
ip6tables -A INPUT -p udp --sport 52000 --dport 1024:65535 -j ACCEPT # YSF Gateway Routing
# Allow Inbound P25 Gateway Ports
# Same source-port-only pattern, narrowed to Linux's default ephemeral range.
ip6tables -A INPUT -p udp --sport 41000:41010 --dport 32768:60999 -j ACCEPT # P25 Gateway Routing
# Allow M17 Inbound Ports
ip6tables -A INPUT -p udp --dport 17000 -j ACCEPT # M17 mrefd
ip6tables -A INPUT -p udp --dport 17010 -j ACCEPT # M17 M17Gateway
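# Everything that reaches the end of INPUT without matching goes to LOGNDROP.
# The LOG rule is commented out, so today this is just a named DROP (the
# INPUT policy would drop it anyway); uncomment it - ideally with '-m limit'
# so a flood cannot fill the log - to see what is being rejected.
ip6tables -N LOGNDROP
ip6tables -A INPUT -j LOGNDROP
#ip6tables -A LOGNDROP -j LOG
ip6tables -A LOGNDROP -j DROP
# Persist the ruleset.  Written to a temp file and renamed into place so a
# failing ip6tables-save (or an interrupted write) cannot leave
# /etc/ip6tables.rules truncated or empty for whatever restores it at boot.
v6_rules_file=/etc/ip6tables.rules
if ip6tables-save > "${v6_rules_file}.tmp"; then
  mv -f "${v6_rules_file}.tmp" "$v6_rules_file"
else
  printf 'ip6tables-save failed; leaving %s unchanged\n' "$v6_rules_file" >&2
  rm -f "${v6_rules_file}.tmp"
fi
# List rules
ip6tables --list
# echo a blank line
printf "\n"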